"Modern" OS & Applications

* Architecture, languages, tools designed in 1960's & 1970's
* Design parameters
  - resources scarce
  - environment benign
  - users knowledgeable and well trained


The World Changed


* Machines are fast, memory is cheap 


* Ubiquitous computing means ubiquitous 
worms, viruses, scams, attacks, ... 


* Few users understand computers or 
software 


* Overview (Jim)
* Singularity OS (Galen)
* Language, compiler & runtime (David)
* Opportunities (Jim)


New OS, programming language, tools from MSR 
- goal: more dependable system 
- attack problem from multiple directions 


Key points
- advances in languages, compilers, and tools open the possibility of improving software
- Singularity uses these advances to build more dependable systems and applications
- systems built on Singularity expand software delivery opportunities

Research vehicle, not Windows replacement!




Technological Advances


* Integral support for correctness and 
verification 


- safe programming languages 
- optimizing compilers to reduce safety penalty 
- end-to-end validation of program properties 


- sound, specification-driven correctness tools


New System Architecture


* Major features 
- lightweight isolation and fault containment 


- channels for communication and interaction 


- integration of managed code runtime and OS 
- self-describing system 


- programming language extensions to improve 
dependability 


Software Isolated Processes (SIPs)


* Lightweight managed code environment (not CLR)
* Closed object (not address) space
* Rely on language safety (not VM hardware)

Verification


* Detect errors early, trust late 


* Verification serves two roles 
- prevent and detect programming errors 
- ensure system integrity 




* Verifiable, efficient communications 


- channel contract specifies value and 
communication protocol 


- verify code obeys contract (compile time) 


- check communications against contract 
(runtime) 


* Kernel controls establishment of channels 


* Security policy tied to channels 


Channel Communication


* Key is "send & forget" message semantics 


- message owned by at most one process 
* ownership transferred at send (no copies) 


- facilitates static protocol verification 
- enables efficient implementation 


Process Independence


* SIPs on Singularity are fully independent
  - no shared implementation or state (outside kernel)
  - no shared memory
  - garbage collector and runtime chosen to fit application
  - GCs run independently
  - OS terminates and reclaims resources


* High degree of isolation 


- resource usage independently mediated by OS 
* e.g., can't force GC in another process 


- kernel API does not allow one process to affect another process 
- interact only through visible, system-mediated channels 


Failure Isolation


* Process is failure boundary 
- no shared data structures 
- clean failure notification on channel 
- resources reclaimed by OS 
* Communication partners should recover 
and continue 
- recovery is feasible, not transparent 
- e.g. device driver failure causes glitch 


Closed, Minimal Environment


* No dynamic code loading or run-time code generation
  - all code present when process starts
  - enable sound program analysis, optimization, compilation
  - extensions run in separate process
  - compile-time reflection (CTR) is partial replacement for code generation
* Environment starts empty
  - SIP without channel cannot affect anything else
  - limit libraries to those appropriate for application
    * enforce design discipline
    * enforce system and security policy


Uniform Extension Mechanism


* SIPs used throughout system and applications
  - device drivers, system services, applications, extensions, ...
* Single, general mechanism
  - implement correctly and efficiently
  - build language and tools support


Security at process granularity (not CAS)
* Principal is triple:
  - machine
  - user
  - application (process)
* ACLs on resources
* Access checks when communication established
  - e.g. channel to read/write file
  - can determine party at other end of channel
  - delegate permission by passing established channel


Applications


* Applications are first-class OS abstraction
  - code + resources + manifest
  - system controls installation
    * verify code & manifest
    * check for conflicts
* Manifests describe components and dependencies


Singularity Project


Develop technology and infrastructure to build more dependable software
- language support to increase software quality
- tools to ensure correct software behavior
- OS architecture that enhances system dependability
- superior dependability, sufficient performance

Large research project
- ~dozen researchers & RSDEs
- Redmond, Silicon Valley, Cambridge
- system running on hardware and Virtual PC

Not Windows successor!




Dependable Kernel
- kernel closed at boot time
- OS services moved to processes
- device drivers moved to processes
- reduced use of unsafe code

Dependable Processes
- processes closed at start time
- only trusted runtime code can use unsafe C# features
- application code is 100% safe
- service code is 100% safe
- device driver code is 100% safe


Controlling Access to Hardware


Hardware resources are accessed through classes in the trusted runtime:
- IoPort, IoIrq, IoMemory, and IoDma
- IoPortRange, IoIrqRange, IoMemoryRange, and IoDmaRange

The trusted runtime limits the creation of I/O objects to resources allocated by the kernel to the driver through an activation object.

Methods on I/O objects verify access before operating directly on hardware.

For example:

```csharp
IoPortRange myDeviceRange = (IoPortRange)IoConfig.GetConfig().DynamicRanges[0];
IoPort maskPort = myDeviceRange.PortAtOffset(4, 1, Access.Write);
maskPort.Write8(0xf);
```


Open research: How do we describe and verify register usage at 
hardware/software interface? 


Enabling Verification of Application Dependencies


* Applications declare their system requirements and products using a set of custom attributes and an XML schema
  - code assemblies required
  - channels required
  - channels produced
  - hardware resources required (if driver)
  - hardware resources enumerated (if bus driver)
* The OS uses this application metadata to
  - verify that an application is valid on this system
  - detect and resolve conflicts based on declared system policies
  - bind global resources to private names in activation objects
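The checks the slide lists, as an added example in Python (a model constructed for this page, not Singularity's manifest format or its installer): manifest and assembly names are constructed, while the hardware ranges are the S3 Trio64 figures quoted later in the deck.

```python
# Added example (a Python model, not Singularity's manifest format or its
# installer): the OS checks declared application metadata before anything runs.
# A manifest lists the assemblies and channel contracts it needs, the contracts
# it produces, and (for drivers) the hardware ranges it requires. Manifest and
# assembly names are constructed; the hardware ranges are the slide's S3 Trio64
# figures.
from dataclasses import dataclass, field

@dataclass
class Manifest:
    name: str
    assemblies: list = field(default_factory=list)         # code assemblies required
    channels_required: list = field(default_factory=list)  # contracts it needs
    channels_produced: list = field(default_factory=list)  # contracts it offers
    hw_required: list = field(default_factory=list)        # (kind, base, length)

def ranges_overlap(a, b):
    # Same resource kind and the two [base, base+length) intervals intersect.
    return a[0] == b[0] and a[1] < b[1] + b[2] and b[1] < a[1] + a[2]

def verify_install(installed_assemblies, installed, new):
    """Return the policy problems that block installing `new` (empty if valid)."""
    problems = []
    for asm in new.assemblies:
        if asm not in installed_assemblies:
            problems.append(f"{new.name}: missing assembly {asm}")
    produced = {c for m in installed for c in m.channels_produced}
    for contract in new.channels_required:
        if contract not in produced:
            problems.append(f"{new.name}: no producer for {contract}")
    for other in installed:
        for mine in new.hw_required:
            for theirs in other.hw_required:
                if ranges_overlap(mine, theirs):
                    problems.append(f"{new.name}: {mine} conflicts with {other.name}")
    return problems

def bind_activation(new):
    # Bind global resources to private names: the driver only ever sees slot
    # indices of its activation object, never the global ranges by name.
    return {i: rng for i, rng in enumerate(new.hw_required)}

INSTALLED_ASSEMBLIES = {"Corlib", "Io", "Microsoft.Singularity.Extending"}
INSTALLED = [Manifest("Pnp", ["Corlib"], [], ["ExtensionContract"])]
VIDEO = Manifest("S3Trio64", ["Corlib", "Io"], ["ExtensionContract"],
                 ["ServiceProviderContract"],
                 [("mem", 0xB8000, 0x8000), ("port", 0x3C0, 0x20)])
```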


Dynamic resource from PCI config (frame buffer); fixed resources (VGA buffer, SVGA I/O ports); a required channel to the parent process for control; a produced channel for clients to access the video device:

```csharp
class S3Trio64Resources : DriverCategoryDeclaration
{
    IoMemoryRange frameBuffer;  // dynamic resource from PCI config (frame buffer)
    IoMemoryRange textBuffer;   // fixed resource (VGA buffer)
    IoPortRange control;        // fixed resource (SVGA I/O ports)

    // Requires channel to parent process for control
    TRef<ExtensionContract.Exp:Start> pnp;

    // Produces channel for clients to access video device
    TRef<ServiceProviderContract.Exp:Start> video;
}
```

[Generated manifest XML, not recoverable from the slide image: it lists the assemblies, an endpoint of Microsoft.Singularity.Extending.ExtensionContract (Exp end, with its start state), the fixed resource ranges (index 0, length 0x8000; index 2, length 0x20) and the dynamic IoMemoryRange.]




Metadata-Driven Activation


Execution in kernel: I/O manager creates and fills activation record

```csharp
IoConfig config = new IoConfig();
config.DynamicRanges[0] = new IoMemoryRange(0x40000000, 0x800000);  // PCI
config.FixedRanges[0] = new IoMemoryRange(0xb8000, 0x8000);
config.FixedRanges[2] = new IoPortRange(0x3c0, 0x20);
```

Trusted execution in driver process: activation object filled from activation record

```csharp
frameBuffer = (IoMemoryRange)IoConfig.GetConfig().DynamicRanges[0];
textBuffer = (IoMemoryRange)IoConfig.GetConfig().FixedRanges[0];
control = (IoPortRange)IoConfig.GetConfig().FixedRanges[2];
```

Application code in driver

```csharp
ServiceProviderContract.Exp video = S3Trio64Resources.video.Acquire();
video.RecvConnect(out client);
```
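An added example (a Python model, not Sing# or Singularity's runtime) of the two slides above: the kernel fills the activation record, and the driver can only mint I/O port objects inside the granted range, each of which re-checks its access mode before touching the device; class and method names mirror the slide but are this model's own, and the device is a constructed dict.

```python
# Added example (a Python model, not Sing# or Singularity's runtime): the kernel
# fills an activation record with the I/O ranges a driver may use; the driver
# can only mint IoPort objects inside those ranges, and each port re-checks its
# access mode before touching the device (here a constructed dict). Addresses
# are the slide's S3 Trio64 figures; class and method names are this model's.
from dataclasses import dataclass
from enum import Flag, auto

class Access(Flag):
    Read = auto()
    Write = auto()

class IoAccessViolation(Exception):
    pass

@dataclass(frozen=True)
class IoPort:
    port: int
    size: int
    access: Access
    def write8(self, value, device):
        # Verify the access mode before operating directly on the hardware.
        if Access.Write not in self.access:
            raise IoAccessViolation(f"port {self.port:#x} is not writable")
        device[self.port] = value & 0xFF

@dataclass(frozen=True)
class IoPortRange:
    base: int
    length: int
    def port_at_offset(self, offset, size, access):
        # A port object exists only if it lies wholly inside the granted range.
        if offset < 0 or size < 1 or offset + size > self.length:
            raise IoAccessViolation(f"offset {offset:#x} outside granted range")
        return IoPort(self.base + offset, size, access)

def kernel_build_activation_record():
    # Kernel side: only the I/O manager populates the activation record,
    # modelled as slot index -> granted range (FixedRanges[2] on the slide).
    return {2: IoPortRange(0x3C0, 0x20)}   # SVGA I/O ports

def driver_mask_write(record, device):
    # Driver side: mint a write-only port at offset 4 and write the mask value.
    mask_port = record[2].port_at_offset(4, 1, Access.Write)
    mask_port.write8(0xF, device)
    return device[mask_port.port]
```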


Verifying Kernel Dependencies


[Figure: Program (EXE) and Class Libraries (DLLs) built against the ABI V1 Shim, running on Kernel V2.]

* Application Binary Interface (ABI)
  - minimal interface (~150 functions)
  - defined by compiled ILL assembly
  - inserted into app at compile time
* ABI is a functional (not OO) API
  - only value types cross ABI
  - separates app and kernel GC domains
  - wrapped in BCL for ease of use
* ABI maintains process independence
  - cross-process operations exclusively through channels
* ABI is layer of indirection for replacing implementation

Interface Load Library (ILL): a MSIL assembly containing publics w/o code


But is it efficient enough to use?

YES!

[Table: cost of a minimum kernel API call, a message request/reply, and process create & start on Singularity, FreeBSD, Linux and Windows; the cell values are not recoverable from the scan.]


* Why?
  - because all SIPs run in ring 0
  - because static verification replaces hardware protection
  - because we use a good optimizing compiler (not JIT)




Language, Compiler, and Runtime


Sing# is extended dialect of C#
- built on Spec#
- extensions for systems programming, program specification, and verification

Bartok Research Compiler
- highly optimizing ahead-of-time compiler compiles MSIL to native x86 machine code

Bartok Runtime System
- lightweight, customizable run-time system

Verifier
- extended version of MSIL verification


Supported
- Core types + object model instructions
  - integers, floats, objects, managed pointers, unmanaged pointers
- Garbage collection, including finalizers, weak references
- Exception handling
- Lazy type initialization
- Delegates
- Unsafe code (kernel, runtime use only)
- Data layout attributes
- Generics (coming soon)


Not Supported
* Dynamic class loading
* Reflection: very limited support
* Code access security
* Platform invoke


Language Extensions for Systems Programming


Control over class initialization
- require a class constructor be run at process start up
- specify initialization order

[NoHeapAllocation] attribute
- compile-time check that a method (and its callees) does not heap allocate

Overlays for type-safe structural casts of arrays of scalars

Struct inheritance
- allow a struct to inherit all the fields/methods of a parent struct

And more


Language Support for Message Passing


Extending languages simplifies coding and facilitates static checking

Channel contracts specify valid protocol sequences and types for messages

Switch-receive statement for asynchronous event pattern matching

Exchangeable types for data passed by messages
- data lives outside per-process GC heaps, ownership changes when sent across message
- explicit resource management for exchangeable data and channel endpoints
- compiler verified, so it is safe!


Contract declares
- message types (name, argument types, direction)
- state machine defining all valid message sequences

Provides
- channel endpoint types: Imp, Exp
- channel construction method
- typed send and receive methods

Efficient
- pre-allocated buffers
- state machine and finite outstanding messages
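An added example, modelling in Python (not Sing#) what a contract gives you and what the earlier "send & forget" slide describes: message types with a sending end, a state machine checked at every send, and message ownership that leaves the sender when the message is sent; the contract itself is constructed for this page.

```python
# Added example, a Python model rather than Sing#: a channel contract as the
# slide describes it (message types with a direction, a state machine of valid
# sequences) checked at every send, plus "send & forget" ownership transfer of
# the exchangeable message. The contract itself is constructed for this page.
class ContractViolation(Exception):
    pass

# state -> {(message name, sending end): next state}; Imp is the client end.
FILE_CONTRACT = {
    "Ready": {("Read", "Imp"): "Pending", ("Close", "Imp"): "Closed"},
    "Pending": {("Data", "Exp"): "Ready", ("Error", "Exp"): "Ready"},
    "Closed": {},
}

class Message:
    # Exchangeable data: owned by exactly one endpoint at any time.
    def __init__(self, name, payload, owner):
        self.name, self.payload, self.owner = name, payload, owner

class Channel:
    def __init__(self, contract):
        self.contract, self.state = contract, "Ready"
        self.inbox = {"Imp": [], "Exp": []}

    def send(self, sender, msg):
        key = (msg.name, sender)
        if key not in self.contract[self.state]:
            raise ContractViolation(f"{msg.name} from {sender} invalid in {self.state}")
        if msg.owner != sender:
            raise ContractViolation(f"{sender} does not own {msg.name}")
        msg.owner = None                     # ownership leaves the sender, no copy
        self.state = self.contract[self.state][key]
        self.inbox["Exp" if sender == "Imp" else "Imp"].append(msg)

    def receive(self, receiver):
        msg = self.inbox[receiver].pop(0)
        msg.owner = receiver                 # the receiver now owns the message
        return msg

def run_session():
    # One valid exchange; returns (final state, bytes read, who owns the request).
    ch = Channel(FILE_CONTRACT)
    req = Message("Read", 16, "Imp")
    ch.send("Imp", req)
    n = ch.receive("Exp").payload
    ch.send("Exp", Message("Data", b"x" * n, "Exp"))
    data = ch.receive("Imp").payload
    ch.send("Imp", Message("Close", None, "Imp"))
    return ch.state, len(data), req.owner
```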


Compiling and Running Managed Code


1. Compile to MSIL (sgc, the Sing# frontend)
2. Verify (Verifier)
3. Compile to native code (Bartok)
4. Link


Compiling to Native Code


* Extensive optimization
  - 30+ optimizations: high-level, medium-level, code generation, runtime focused
* Assist specialization of runtime system
  - automatically remove unused or disabled language features
  - tree-shaking eliminates unused classes/methods/fields
* Whole program and separate compilation
  - closed processes allow whole program optimization
  - predecessor compiler (Marmot) demonstrated whole program performance competitive with C/C++


Managed Code Optimizations


* Tree-shaking (whole program mode)
  - eliminate unreachable or unused classes, interfaces, methods, and fields
* Array-bounds check elimination
* Array store check elimination
* Null check elimination
* Devirtualization of virtual calls
* Type-test and type cast elimination
* Optimize class initialization
* Eliminate redundant checks
* Fast/slow path split
* Redundant field load/store elimination
* Optimize convert operations
  - widening/narrowing, introduced by use of argument stack
* Eliminate unused formal parameters
* Compress paths of struct operations


Lightweight Runtime System

[Figure: runtime components]
- Automatic storage management, with a choice of garbage collectors:
  1. Mark sweep
  2. Mark sweep compact
  3. Concurrent
  4. Semi-space copying
  5. Generational copying
  6. Reference counting
- Virtual table and object layout
- Threading and synchronization
- Type tests
- Core datatypes: integers, floating point, arrays, strings
- Exception handling
- Interface calls


Compiling Runtime System and Libraries

Bartok modular runtime system

Libraries:
- .NET
- Singularity app
- Singularity kernel

They're compiled, optimized, and linked, just like everything else


Dynamic Memory Usage: Hello World

Virtual address size (bytes)

| | Singularity | FreeBSD | Linux | Windows |
| C w/ static lib | - | 232K | 1,788K | 663K |
| C++ w/ static lib | - | ? | 2,372K | ? |
| C# w/ GC | 316K | - | - | 3,750 |

(? marks cells not legible in the scan; - marks configurations not measured)




Software as a Service


Free users from system administration

* Deliver and remotely support software
  - $29.99/yr to support Office on your home machines?
* Why Singularity?
  - strong isolation
    * processes cannot interfere with each other
    * system has explicit and total control over communication mechanism
  - safe execution environment
    * OS controls verification, compilation, and run-time libraries
  - remotely administrable
    * OS controls installation and configuration
    * detect conflicts before execution
  - security model
    * identify and protect application resources (files, metadata)


Developers cannot anticipate or satisfy all uses of their software
- non-trivial software provides rich extension mechanisms (COM, VBA, ...)

No safe way to host extensions to web site
- e.g. Amazon.com storefronts or eBay bidding agent

Developer with new idea must operate web site

Why Singularity?
- strong isolation
- safe execution environment
- remotely administrable
- security model


Example: amazon.com web site


Questions?

* http://singularity
* DLs:
  - Singularity Design Notices: singnote
  - Singularity Questions and Answers: singqa
* Source access:
  - business need
  - or, willingness to contribute to the project
    * e.g., OSS model with Singularity team as filters


